Information Warfare Strategies (SRF-IWS): Offensive Operations at the Davos Forum

Disclaimer: Everything described here is pure imagination and any resemblance to reality is coincidental. The author is not responsible for the consequences of any action taken based on the information provided in the article.

The Davos Forum organized by the World Economic Forum (WEF) is the economic event of the year that brings together thousands of people from all over the world, from politicians to well-known businessmen, in the town of Davos, Switzerland.

Thousands of people gather in Davos, from political personalities and business leaders to support, administrative and security personnel. We define as primary objectives politicians (presidents, prime ministers, and the like) and relevant businessmen (presidents and CEOs), and as secondary objectives the support personnel whose compromised security allows the surveillance or exploitation of the primary objectives.

During the Davos Forum, people are protected by police, military and private security personnel, and several security rings, access control, special permits for vehicles, anti-drone systems and so on are established.

For this exercise we will assume that a Nation-State deploys a unit of cyber operatives and field agents in Davos to carry out offensive operations such as spying, installing implants or other subversive activities.

This operation is divided into different phases: preparations before the forum, actions during the forum and post-forum actions. The post-forum actions would be related to persistence, command and control of the objectives and exfiltration of information, which we will not cover in this post. Therefore, we are going to focus on the phases before and during the forum.

Preparations before the forum

Preparations prior to the offensive campaign during Davos would include at least the following points:

  1. Selection of objectives: We distinguished above between primary and secondary objectives; at this point we are going to focus on the primary ones only. Politicians and businessmen usually carry high-end smartphones, mainly the latest model iPhone or an older model. Cyber operatives will use OSINT techniques to search for images or videos that can be used to identify the smartphone model. They can also search for public documentation on the acquisition of devices, as the Spanish Congress published in 2023 with the purchase of iPhone 13 handsets for all deputies.
  2. Identification of RF devices: By using portals such as Wigle and similar, cyber operatives can obtain names of WIFI access points, Bluetooth devices and mobile phone towers in the geographical area. This information is useful for planning RF attacks, also known as proximity attacks, which are generally unknown and undervalued by organizations.
  3. Identification of CCTV devices: Using portals such as Shodan and similar, cyber operatives can search for cameras in Davos to compromise their security and use them for surveillance and monitoring tasks. In the following images we see some Google Dorks, also known as Google Hacking, to search for cameras on the Internet, and on the Hacked.camara web portal we can find hacked cameras in the Davos area.
  4. Development and/or purchase of Exploits: Exploits are the cyber weapons that cyber operatives will use to compromise the targets’ devices. Exploits for zero-day vulnerabilities (vulnerabilities unknown to the manufacturers and therefore unpatched) will surely be necessary for systems such as Windows, MacOS, iPhone (iOS) and Android. These types of exploits are expensive (from hundreds of thousands to millions of euros) and nowadays several are usually needed to compromise a device and bypass all of its security layers. To get an idea of the cost and complexity, I recommend reading about Operation Triangulation, a recent campaign against a well-known cybersecurity manufacturer in which some of its iPhones were compromised using several zero-day exploits.
  5. Development of Implants: Once access is achieved, it is necessary to deploy implants in the compromised systems to control them and exfiltrate information. As with exploits, cyber operatives must have implants for the different Windows, MacOS, iPhone (iOS) and Android systems. These implants can be developed or purchased on the market, and in practice they often do not need to be sophisticated to achieve good results. A real example is the use of Pegasus spyware to spy on politicians in Europe.
  6. Equipment: Cyber operatives will have to carry all the software and hardware equipment they may need, such as laptops, WIFI access points, “Lock Picking” tools, antennas, drones, WIFI and Bluetooth adapters, offensive hardware (see my article about it to get an idea), cameras, microphones and much more.

Image: Davos devices seen in Wigle

Image: Google Dorks

Image: Hacked CCTV at Davos

Good preparation is crucial for successful cyber-attacks during Davos.

During the forum

During the days of the Davos Forum, cyber operatives can execute a wide range of cyber-attacks to achieve their objectives. Next we look at possible attacks, with real examples where available.

  1. Deployment of fake phone towers to intercept traffic and/or send exploits to mobile phones. These devices are also known as IMSI catchers. Cyber operatives could deploy these devices before the event, but for operational security (OPSEC) reasons they would use this attack only during the event. A real case was the detection of fake cell towers around the US White House.
  2. Social engineering: This old and well-known attack still works, although it has been modernized with the use of emails, SMS, and instant messaging (IM). Without a doubt, female operatives in Davos could gain a wealth of valuable information or access to targets’ electronic devices that would allow them to install an implant. A real case is the use of female Russian spies to infiltrate NATO.
  3. USB Drop attack: consists of leaving USB sticks containing malware lying on the floor or in some visible place such as a table. When one is found and someone inserts it into a computer to see what is inside (exploiting human curiosity, perhaps with the intention of returning it to its owner), the computer is infected by the malware and the cyber operatives now control the device. A well-known and simple offensive programming language is DuckyScript, supported by a multitude of offensive devices, which allows you to create scripts with payloads for Windows, MacOS, Linux, iPhone (iOS) and Android. I recommend browsing the available payloads repository to understand its capabilities. The following image is a well-known script to steal passwords on Windows in a matter of seconds using a USB Rubber Ducky, a known offensive device.
  4. WIFI attacks: another well-known attack is to target WIFI access points or create malicious WIFI access points. There are many offensive devices, such as the popular WIFI Pineapple, although a laptop, a Wi-Fi card and a good antenna are sufficient. A real case is the use of drones equipped with offensive devices such as the WIFI Pineapple, landed on a rooftop to launch WIFI attacks, as happened in the US against a financial company. Cyber operatives can also walk around the Davos area with covert offensive devices that break WIFI networks automatically or capture the “handshakes” of WIFI connections, to crack them later and gain access. All access points and WIFI clients are susceptible to different attacks.
  5. Bluetooth attacks: Bluetooth attacks are on the rise. Although they require proximity, they can be devastating, since in some cases they allow control of the victim device, and, best of all for the attacker, they are undervalued by most organizations. There are many attacks available, but two that cyber operatives could use to compromise the security of devices are BlueBorne and a recently published attack on the Bluetooth protocol, affecting Android, MacOS, iPhone (iOS) and Linux, that connects a fake keyboard without user approval. Today billions of devices remain vulnerable to these attacks.
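The USB drop and DuckyScript items above describe keystroke injection from the attacker's side. As an added example that is not part of the original post (and not code from any vendor), the following Python script shows the corresponding host-side detection: an injected payload is typed far faster and more evenly than a person can type, so an endpoint agent that records keystroke timestamps can flag runs of keystrokes with gaps well under human speed. The keystroke events, the event layout and the thresholds are constructed assumptions for the example.

```python
"""Flag keystroke bursts too fast and too even to be human typing.

Added example, not code from the post. A keystroke-injection device types its whole
payload in well under a second, so inter-keystroke timing is a cheap signal an
endpoint agent can watch. Events, field layout and thresholds are constructed here.
"""

# Constructed log: a person typing about 5 keys/s with jitter, then, after a few
# seconds of silence, a 60-keystroke burst 4 ms apart (about 250 keys/s).
HUMAN_TYPING = [(1.0 + 0.18 * i + (0.03 if i % 3 else -0.02), "h") for i in range(30)]
INJECTED_BURST = [(10.0 + 0.004 * i, "i") for i in range(60)]
SAMPLE_EVENTS = HUMAN_TYPING + INJECTED_BURST  # (timestamp_seconds, key), sorted


def find_injection_bursts(events, max_interval_s=0.02, min_keys=20):
    """Return (start_ts, end_ts, key_count, keys_per_second) for each run of at
    least min_keys consecutive keystrokes whose gaps are all <= max_interval_s.

    events: list of (timestamp_seconds, key) sorted by timestamp.
    The thresholds are assumptions: 20 ms is far below sustained human typing,
    and 20 keys is long enough to skip key-repeat and short macro bursts.
    """
    bursts = []
    run_start = 0
    for i in range(1, len(events) + 1):
        # Close the current run when input ends or the next gap is human-sized.
        if i == len(events) or events[i][0] - events[i - 1][0] > max_interval_s:
            run_len = i - run_start
            if run_len >= min_keys:
                start, end = events[run_start][0], events[i - 1][0]
                rate = (run_len - 1) / (end - start) if end > start else float("inf")
                bursts.append((start, end, run_len, round(rate, 1)))
            run_start = i
    return bursts


def describe(bursts):
    """Human-readable alert lines for a report or SIEM forwarder."""
    return [
        f"possible keystroke injection: {count} keys in {end - start:.3f}s "
        f"({rate} keys/s) starting at t={start:.3f}"
        for start, end, count, rate in bursts
    ]


if __name__ == "__main__":
    for line in describe(find_injection_bursts(SAMPLE_EVENTS)):
        print(line)
```

A typing-speed heuristic on its own is noisy: password managers, clipboard tools and macro utilities also type quickly, so in practice you would correlate the burst with the arrival of a new USB HID device and with the process receiving the input before raising an alert. The constructed burst here is flagged; the human sample and a ten-key burst are not.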

Image: DuckyScript

Despite the high security measures during the Davos Forum, it is undoubtedly a very interesting objective for a Nation-State with so many politicians and businessmen concentrated in the same place.

As we have seen throughout the article, the possibility of offensive operations in Davos is a reality and all necessary physical and digital security measures must be taken.

Please leave a comment on the article and tell me which topics you would like me to go into in more depth.

— See you on @simonroses

Posted in Hacking Etico, RF, Security

Modern Wardriving

Let’s start by defining the word Wardriving: it is the search for WIFI wireless networks from a vehicle equipped with a computer. This would be the classic definition. I define modern wardriving as the search for WIFI networks, Bluetooth devices and GSM towers, regardless of whether we are in any type of vehicle (plane, boat, bicycle, scooter, skateboard, etc.) or even walking.

I have been analyzing wireless networks since the beginning of 2000, and in 2022 I obtained the well-known Offensive Security Wireless Professional (OSWP) certification; you can read my post about it. Below is an image of the old cards that I used at that time for wardriving and WIFI audits, which I still have out of nostalgia.

Modern wardriving requires more advanced hardware, as we now have WIFI on 2.4GHz and 5GHz with WIFI 6 and 7 looming on the horizon, Bluetooth devices (with billions of devices in the world and counting) and GSM towers. In addition, we must combine it with a GPS device to record their location.

As you can see in the image, I use different devices for Wardriving and Radio Frequency (RF) audits from my company VULNEX. And what is shown here is not all the gadgets I use 😊. With these devices we can perform everything from wardriving to sophisticated RF attacks (a story for another day).

Starting from the left below we have:

  1. Flipper Zero + WIFI Devboard
  2. Raspberry PI Zero + Pwnagotchi
  3. AWUS036NEH
  4. AWUS036NHA
  5. M5 Stack Fire + ESP32 WiFi Hash Monster
  6. Google Pixel 5 + WiGLE WiFi Wardriving
  7. Hack5 WIFI Pineapple Nano
  8. Wardriving Kit (463n7 Driver kit & Wardriver)
  9. AWUS1900
  10. Raspberry Pi 4 + touch screen

Do you want to get started in wardriving? My advice is that you buy an Android phone (it doesn’t have to be expensive or top of the range) and install the WiGLE WiFi Wardriving App. It is the fastest and most comfortable way to enter this fascinating world. As you progress you can expand your collection of wardriving devices.
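Once the WiGLE app has collected a survey, the useful next step for a defender is to triage the export. As an added example that is not code from the post or from WiGLE, here is a small Python audit of a wardriving CSV. The column layout is my assumption modelled on the app's CSV export (a one-line device pre-header, then MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type), so check it against your own file; the rows below are constructed. It reports networks with no encryption or WEP, and SSIDs broadcast by several BSSIDs, separating the ones whose security settings disagree (a classic rogue or evil-twin indicator) from plain multi-AP deployments.

```python
"""Triage a wardriving CSV export: weak authentication and suspicious SSIDs.

Added example, not code from the post. Column layout is an assumption modelled on
the WiGLE WiFi Wardriving app's CSV export; the rows are constructed sample data.
"""
import csv
from collections import defaultdict

SAMPLE_CSV = """\
WigleWifi-1.4,appRelease=constructed,model=constructed,release=0,device=x,display=x,board=x,brand=x
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
aa:bb:cc:00:00:01,HotelGuest,[ESS],2023-12-20 10:00:00,6,-61,46.8027,9.8360,1560,5,WIFI
aa:bb:cc:00:00:02,HotelGuest,[WPA2-PSK-CCMP][ESS],2023-12-20 10:00:05,11,-70,46.8028,9.8361,1560,5,WIFI
aa:bb:cc:00:00:03,OfficeNet,[WPA2-EAP-CCMP][ESS],2023-12-20 10:01:00,36,-55,46.8030,9.8365,1561,4,WIFI
aa:bb:cc:00:00:04,OldPrinter,[WEP][ESS],2023-12-20 10:02:00,1,-80,46.8031,9.8366,1561,8,WIFI
aa:bb:cc:00:00:05,OfficeNet,[WPA2-EAP-CCMP][ESS],2023-12-20 10:03:00,40,-58,46.8032,9.8367,1561,4,WIFI
aa:bb:cc:00:00:06,ConfRoom,[WPA3-SAE-CCMP][ESS],2023-12-20 10:04:00,44,-50,46.8033,9.8368,1562,3,WIFI
"""


def load_networks(text):
    """Parse the export, skipping the device pre-header, keeping WIFI rows only."""
    lines = text.splitlines()
    reader = csv.DictReader(lines[1:])  # line 0 is the app/device pre-header
    return [row for row in reader if row["Type"] == "WIFI"]


def classify_auth(auth_mode):
    """Collapse the AuthMode capability string into a coarse security class."""
    mode = auth_mode.upper()
    if "WEP" in mode:
        return "WEP"
    if "SAE" in mode or "WPA3" in mode:
        return "WPA3"
    if "WPA" in mode:
        return "WPA/WPA2"
    return "OPEN"  # only [ESS] or similar: no encryption advertised


def audit(networks):
    """Return weak networks plus SSIDs seen on several BSSIDs or with mixed auth."""
    by_ssid = defaultdict(list)
    weak = []
    for n in networks:
        cls = classify_auth(n["AuthMode"])
        if cls in ("OPEN", "WEP"):
            weak.append((n["MAC"], n["SSID"], cls))
        by_ssid[n["SSID"]].append((n["MAC"], cls))
    multi_bssid = sorted(s for s, aps in by_ssid.items() if len({m for m, _ in aps}) > 1)
    # Same SSID with different security classes: rogue/evil-twin indicator.
    mixed_auth = sorted(s for s, aps in by_ssid.items() if len({c for _, c in aps}) > 1)
    return {"weak": weak, "multi_bssid": multi_bssid, "mixed_auth": mixed_auth}


if __name__ == "__main__":
    report = audit(load_networks(SAMPLE_CSV))
    for mac, ssid, cls in report["weak"]:
        print(f"weak: {ssid} ({mac}) is {cls}")
    print("multi-BSSID SSIDs:", report["multi_bssid"])
    print("mixed-auth SSIDs (check for rogue APs):", report["mixed_auth"])
```

On the constructed rows, OfficeNet appears on two BSSIDs with identical WPA2-Enterprise settings, which is what a normal multi-AP office looks like, while HotelGuest appears both open and WPA2-PSK, which deserves a walk to the location recorded in the GPS columns.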

What would you like me to delve into in another article?

Merry Christmas and don’t forget the ABC of wardriving: “Always Be Collecting” 😊

@simonroses

Posted in Hacking Etico, RADIO, RF, Security, Technology, Wireless

Fun in a Wild West shooting range with the Flipper Zero

For years I always thought about hacking the classic shooting range set in the Wild West powered by infrared shotguns. We can find these shooting ranges in amusement parks and fairs. Well, that moment has come, using the Flipper Zero, a security and pentesting device designed for ethical hackers and IT security professionals that fits in your pocket.

If you want to know in detail the infrared capabilities of the Flipper Zero for remote control, signal analysis and device emulation, I recommend reading my article about it here: Infrared Dominance with Flipper Zero.

Below are some images of the shooting range and videos of the hack, where we observe that, when we send the signal previously captured from a shotgun, many infrared sensors are activated at the same time.

Videos

Disclaimer: I am not responsible for any misuse of the information presented here.

Here is the captured signal as an .ir file for the Flipper Zero.

Filetype: IR signals file
Version: 1
#
name: Kat
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 470 373 889 376 886 800 462 381 892 795 467 798 464 801 461 382 891 796 467 377 885 379 883 804 469 14718 467 377 885 379 883 804 469 374 888 799 463 802 460 804 469 375 887 799 463 380 882 384 889 798 464 14723 461 381 892 374 888 798 464 379 883 804 458 806 467 799 463 380 882 804 469 375 887 378 884 802 460 14727 468 375 887 377 885 802 460 383 890 797 465 800 462 803 459 384 889 798 464 379 883 381 892 796 466 14720 464 378 884 381 881 806 467 376 886 800 462 803 459 806 467 376 886 801 461 804 469 796 466 799 463
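To make sense of the .ir file above, here is an added Python example (not part of the post and not Flipper firmware code) that parses the key/value layout, splits the raw timings into frames at the long idle gaps and quantizes each frame into short/long symbols so the repeats can be compared. The file text is the capture published above; the 10 ms gap threshold and the 650 µs short/long boundary are assumptions chosen from the values in this particular capture, and the mark/space alternation starting with a mark is how raw Flipper captures are laid out.

```python
"""Parse a Flipper Zero .ir raw capture and split it into repeated frames.

Added example, not code from the post or from the Flipper project. The file text
is the capture from the post; gap and short/long thresholds are assumptions.
"""

IR_FILE = """\
Filetype: IR signals file
Version: 1
#
name: Kat
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 470 373 889 376 886 800 462 381 892 795 467 798 464 801 461 382 891 796 467 377 885 379 883 804 469 14718 467 377 885 379 883 804 469 374 888 799 463 802 460 804 469 375 887 799 463 380 882 384 889 798 464 14723 461 381 892 374 888 798 464 379 883 804 458 806 467 799 463 380 882 804 469 375 887 378 884 802 460 14727 468 375 887 377 885 802 460 383 890 797 465 800 462 803 459 384 889 798 464 379 883 381 892 796 466 14720 464 378 884 381 881 806 467 376 886 800 462 803 459 806 467 376 886 801 461 804 469 796 466 799 463
"""


def parse_ir_file(text):
    """Return (header, signals): header holds Filetype/Version; each '#'-separated
    block becomes one signal dict with numeric fields converted."""
    header, signals, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):  # '#' line separates signals in the file
            current = {}
            signals.append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        target = header if current is None else current
        if key == "data":
            target[key] = [int(v) for v in value.split()]  # microseconds
        elif key == "frequency":
            target[key] = int(value)
        elif key == "duty_cycle":
            target[key] = float(value)
        else:
            target[key] = value
    return header, signals


def split_frames(timings, gap_us=10_000):
    """Raw data alternates mark/space durations starting with a mark; a space of
    gap_us or more is the idle period between repeats of the button press."""
    frames, current = [], []
    for i, t in enumerate(timings):
        is_space = i % 2 == 1
        if is_space and t >= gap_us:
            frames.append(current)
            current = []
        else:
            current.append(t)
    if current:
        frames.append(current)
    return frames


def quantize(frame, threshold_us=650):
    """Map each duration to S (short, ~400 us) or L (long, ~850 us)."""
    return "".join("S" if t < threshold_us else "L" for t in frame)


def summarize(text):
    """Parse the first signal and describe its frames."""
    _, signals = parse_ir_file(text)
    sig = signals[0]
    frames = split_frames(sig["data"])
    patterns = [quantize(f) for f in frames]
    return {
        "name": sig["name"],
        "frequency": sig["frequency"],
        "timings": len(sig["data"]),
        "frames": len(frames),
        "frame_lengths": [len(f) for f in frames],
        "frame_durations_us": [sum(f) for f in frames],
        "patterns": patterns,
        "distinct_patterns": len(set(patterns)),
    }


if __name__ == "__main__":
    for key, value in summarize(IR_FILE).items():
        print(f"{key}: {value}")
```

Run on the capture, the script finds 129 timings forming five 25-value frames on a 38 kHz carrier; the first four frames quantize to the same short/long pattern and the fifth differs in its tail, which is worth knowing before replaying a capture or trying to reduce it to a compact protocol description.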

The next step will be to test this hack with the powerful IR Blaster that expands the infrared capabilities of the Flipper Zero.

The conclusion: never leave home without the Flipper Zero 😊

Leave in comments if you would like to see more articles about the Flipper Zero and what topics.

@simonroses

Posted in Uncategorized